What is Social Engineering?
Social Engineering is a collection of human exploit techniques designed to manipulate people into performing actions and/or confiding personal information, with malicious intent. These human exploits make even the most secure networks susceptible to remote attacks.
Persons of any level of intelligence are vulnerable to deception by an experienced Social Engineer.
“THE IT SCENARIO”
“Good Morning, this is Chip from the IT department. We have received numerous phone calls from throughout the building regarding network outages. Have you yourself experienced any issues this morning with connectivity? …. Well, it appears from what I’ve established so far that the latency issue seems to be stemming from somewhere in your department. I’d like to run a few system checks to see what the connection speeds are from your machine, but I’m not at my desk at the moment, so I am unable to pull up your login credentials. I’m going to go ahead and log in remotely from the station I am working at right now; you’ll see me playing around with the mouse on your screen once I have connected…. I promise not to close out too many of your unsaved documents while I run my tests (laugh). Ok, what is your username and password…”
“Pretexting” is a social engineering method in which an invented scenario is created, such as the example above, to persuade an individual to freely disclose vital information or perform a task. This method of social engineering is generally done remotely via the phone. Much like other methods, pretexting requires a fair amount of reconnaissance work to make the scenario more believable. The more information you have readily available about the target, and about the task or information you want them to perform and/or divulge, the more plausible your scenario will appear, thus creating a more solid sense of trust between you and the individual.
To the majority of business professionals working day to day in corporate America, this conversation would have seemed completely innocuous, and they would have been happy to divulge their system information, allowing someone else to access their machine through a remote desktop connection and thus making the network susceptible to an attack.
This is but one example of the techniques used by Social Engineers.
Reconnaissance
Information gathering and data mining are an essential part of successfully Social Engineering a target. There are countless techniques and tools to use in preparation, and the amount of information varies based on the target and magnitude of the attack.
Some of these techniques and tools are “Dumpster Diving” and “Shoulder Surfing”, as well as computer-based mining tools like Google and Maltego. While it is nice to stay fresh-smelling and use the web to crawl for your information, sometimes there is no substitute for doing the dirty work the old-fashioned way.
“Dumpster Diving” is one of the oldest forms of information reconnaissance. Remember, this isn’t the Olympics and there are no points for form, so forget about doing the half-pike off the dock into the 30-yard dumpster and just get in there and search!
A word of caution on this part: Dumpster Diving itself is not a federal crime. While some state and local ordinances may supersede this, trash picking is in itself not a crime and does not violate a company’s or individual’s right to privacy under common law, as stated in the California v. Greenwood U.S. Supreme Court case. That being said, trespassing is illegal!
Businesses and individuals alike discard sensitive information in regular unsecured waste containers every day, including printouts with passwords, credit card information, email listings, internal phone directories, etc. This information can then be used to gain access directly to the network in some cases, or as background information for a more sophisticated social engineering scenario.
Many companies as of late have contracted out to third-party shredding providers to help cut down on and eliminate the amount of sensitive material that is discarded in the normal waste refuse. That being said, a large number of employees still discard materials at their own workstation rather than in the provided alternative receptacles, so the information is still out there; you just need to be willing to do the dirty work.
“Shoulder Surfing” is another form of tech-less information gathering. It refers to the direct observation of individuals in an attempt to gain privileged information such as login credentials, PINs, etc. This method is extremely effective when executed in a crowd, as it is easier to stand near the individual without being overly suspicious.
An afternoon of coffee and lattes in a public area, or even a trip to the gym, can yield a vast amount of information. The overwhelming majority of people are creatures of habit and repetition; this makes them more susceptible to being exploited. People become fixated on numbers and use them over and over again. Their locker combo is their voice-mail password, their voice-mail password their bank PIN, their bank PIN their birthday, etc. Why? Because the numbers are easier to remember that way.
“The Friendly Stranger” is another technique, closer to the confidence-man scams of the late ’50s but now done for information rather than material items. Unlike Pretexting scenarios, which are usually initiated via the phone, The Friendly Stranger requires direct contact with your target.
An example of this technique would be to initiate a friendly chat with your target at a local bar. You seat yourself next to the target and then casually introduce yourself at an opportune time. After building up a dialog with the individual, wait for a “Bridge” moment to arise in which you can introduce important information elements into the conversation.
A “Bridge” moment is a timed opportunity to bridge a conversation to a key topic. An example of this: if a dog food commercial appears on the television, you could initiate a “Bridge” moment by sharing that you had a dog once when you were a child that looked just like that, share his/her name, and then pose a question to the individual as to whether or not they ever had a dog before and what his/her name was. In appearance it’s a very harmless question, but in reality that answer could allow you access to their email account later, as numerous online email providers use simple security questions like “What was your first pet’s name?” in the event that you lose your login credentials and need to have them reset.
With a little precursory knowledge about the various email providers, most of the security questions that they pose in the event of lost credentials are topics that could be raised in a friendly everyday conversation. This type of account security measure is also used by other online entities as well such as Myspace.com, Facebook.com, etc…
Google and the “Googledork” - “The Google search engine is an endless source of information; you need only know how to find it.”
Almost anything you ever need to know about any subject you can find on Google. Search modifiers allow for more specific search strings in Google (i.e. inurl:, intitle:, indexof:, filetype:[modifier], rphonebook:, bphonebook:, etc.). These are but a few examples of Google search directives. When used correctly they create specific search strings to narrow down the results.
Why would Google play a part in Social Engineering? Simple: Google indexes just about everything on the net, such as social networking sites, forums, articles, phonebooks, and the list goes on. With a wealth of information cached away, it can provide you with all you need to know.
“Maltego” is an open source program designed to graphically display “six degrees of separation”, but for real-world relationships and links between people, companies, organizations, affiliations, etc. Maltego is a collection of modules linked together in an open source framework.
Maltego provides you with the ability to quickly and accurately establish connections between individuals and companies, even making it possible to see hidden connections. It’s unique in that its core framework can be customized and adapted to meet your specific needs. The use of Maltego’s extensive modules for the information gathering phase makes it possible to work faster and more accurately in establishing connections.
There are countless other methods of gaining information for Social Engineering recon. Company PBX voicemail systems are good for establishing the names of people within the company using the dial-by-name or dial-by-department directory. This way, when you are crafting your scenario you are able to incorporate more valid information into it, thus making it more plausible.
The Scenario
The human element is the variable in Social Engineering. Mainframes, crypto, MD5-hashed passwords, etc. are the constants. No two Social Engineering feats will ever be the same, as no two people will ever react in exactly the same manner, so it all comes down to the scenario. This is the manner in which you put forth the information you have gathered in your recon.
A good lie is a half-truth, as it is more believable and will make you more credible from the start. If you go to a company during the day and tell them you’re from the power company and there is a problem with the breaker while the lights are on, they are going to be more suspicious than if you were to do the same thing during a power outage. Believability is the key.
There are numerous factors to consider when looking to establish a plausible scenario, one of which is the size of the company. If company X only has 10 employees, then the statistical odds of raising someone’s suspicions when you say you’re from the “IT Department” are significantly greater than if company X has 1000 employees. Another factor to consider is what you hope to accomplish in exploiting the target: are you merely looking to gather more information from them to be used in a larger-scale scenario, or is there a specific task you wish for them to perform?
As in all things, believability is key. Companies that utilize caller identification systems are less likely to be cooperative with someone calling for information from an outside line. Spoofing your caller ID to show that you are calling from an internal number again increases your legitimacy drastically. Third-party services make this possible for as little as $0.05 a minute.
An example of a physical media scenario is the “Road Apple”. The Road Apple plays on the curiosity of the unsuspecting target by enticing them with the proverbial forbidden fruit. For example: I place a trojan shell on a CD, label the CD “Company X’s Performance Reviews”, and leave it on the counter in the rest room at company X. The statistical odds show that the first person to see that CD will in fact take it to their workstation and try to load the data, at which point they have unknowingly compromised their company’s network security.
Final Thoughts
Persons of any level of intelligence are vulnerable to deception by an experienced Social Engineer.
-Int3rc3pt